General Info

File name

setup.exe

Full analysis
https://app.any.run/tasks/c5aab5c0-b3dd-4041-a6d1-8a4accef7de0
Verdict
Malicious activity
Analysis date
12/6/2018, 12:26:44
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

installer

trojan

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

d9f6bedead8da035419ee1a5074d2c46

SHA1

9215dcca4202cba8c378ace86f9ce555d653e30c

SHA256

aee3330b6d05ffcf896976a9726d5fa6d18971838d9c61d8a72b75b53ef420a6

SSDEEP

98304:nf7wCQInrje/CAVMJhk7vBxGpSl0VJQictn5hWGLYaf7EAeT3NmnN:nfn6/VSGBxGpLcttn5cajemN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • _iu14D2N.tmp (PID: 2108)
Application was dropped or rewritten from another process
  • _iu14D2N.tmp (PID: 2108)
  • unins000.exe (PID: 3360)
Reads the Windows organization settings
  • setup.tmp (PID: 2636)
  • _iu14D2N.tmp (PID: 2108)
Reads Windows owner or organization settings
  • setup.tmp (PID: 2636)
  • _iu14D2N.tmp (PID: 2108)
Executable content was dropped or overwritten
  • setup.tmp (PID: 2636)
  • _iu14D2N.tmp (PID: 2108)
  • unins000.exe (PID: 3360)
  • setup.exe (PID: 1704)
Starts application with an unusual extension
  • unins000.exe (PID: 3360)
Application was dropped or rewritten from another process
  • FlushFileCache.exe (PID: 3816)
  • setup.tmp (PID: 2636)
Loads dropped or rewritten executable
  • setup.tmp (PID: 2636)
Creates a software uninstall entry
  • setup.tmp (PID: 2636)
Dropped object may contain Bitcoin addresses
  • setup.tmp (PID: 2636)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe | Inno Setup installer (77.7%)
.exe | Win32 Executable Delphi generic (10%)
.dll | Win32 Dynamic Link Library (generic) (4.6%)
.exe | Win32 Executable (generic) (3.1%)
.exe | Win16/32 Executable Delphi generic (1.4%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2012:10:02 07:04:04+02:00
PEType:
PE32
LinkerVersion:
2.25
CodeSize:
86016
InitializedDataSize:
53760
UninitializedDataSize:
null
EntryPoint:
0x16478
OSVersion:
5
ImageVersion:
6
SubsystemVersion:
5
Subsystem:
Windows GUI
FileVersionNumber:
0.0.0.0
ProductVersionNumber:
0.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Neutral
CharacterSet:
Unicode
Comments:
This installation was built with Inno Setup.
CompanyName:
FileDescription:
Divinity: Original Sin 2 Setup
FileVersion:
LegalCopyright:
FitGirl
ProductName:
Divinity: Original Sin 2
ProductVersion:
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
02-Oct-2012 05:04:04
Detected languages
Chinese - PRC
English - United States
Comments:
This installation was built with Inno Setup.
CompanyName:
null
FileDescription:
Divinity: Original Sin 2 Setup
FileVersion:
null
LegalCopyright:
FitGirl
ProductName:
Divinity: Original Sin 2
ProductVersion:
null
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0050
Pages in file:
0x0002
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x000F
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x001A
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000100
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
8
Time date stamp:
02-Oct-2012 05:04:04
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x000143F8 0x00014400 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.4822
.itext 0x00016000 0x00000BE8 0x00000C00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.01516
.data 0x00017000 0x00000D9C 0x00000E00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 2.66929
.bss 0x00018000 0x00005750 0x00000000 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.idata 0x0001E000 0x00000F9E 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 4.96778
.tls 0x0001F000 0x00000008 0x00000000 IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rdata 0x00020000 0x00000018 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 0.190489
.rsrc 0x00021000 0x0000B200 0x0000B200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.15886
Resources
1

2

3

4

4091

4092

4093

4094

4095

4096

11111

CHARTABLE

DVCLAL

PACKAGEINFO

MAINICON

Imports
    oleaut32.dll

    advapi32.dll

    user32.dll

    kernel32.dll

    comctl32.dll

Exports

    No exports.

Screenshots

Processes

Total processes
43
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

[Interactive behavior graph. Nodes: setup.exe (no specs), setup.exe, setup.tmp, flushfilecache.exe (no specs), unins000.exe, _iu14d2n.tmp. Edge labels: "drop and start", "start".]

Process information

PID
3136
CMD
"C:\Users\admin\AppData\Local\Temp\setup.exe"
Path
C:\Users\admin\AppData\Local\Temp\setup.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Description
Divinity: Original Sin 2 Setup
Version
Modules
Image

PID
1704
CMD
"C:\Users\admin\AppData\Local\Temp\setup.exe"
Path
C:\Users\admin\AppData\Local\Temp\setup.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
Description
Divinity: Original Sin 2 Setup
Version
Modules
Image
c:\users\admin\appdata\local\temp\setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\is-ad0bj.tmp\setup.tmp

PID
2636
CMD
"C:\Users\admin\AppData\Local\Temp\is-AD0BJ.tmp\setup.tmp" /SL5="$40190,5611799,140800,C:\Users\admin\AppData\Local\Temp\setup.exe"
Path
C:\Users\admin\AppData\Local\Temp\is-AD0BJ.tmp\setup.tmp
Indicators
Parent process
setup.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Setup/Uninstall
Version
51.1052.0.0
Modules
Image
c:\users\admin\appdata\local\temp\is-ad0bj.tmp\setup.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\users\admin\appdata\local\temp\is-1gs7r.tmp\_isetup\_shfoldr.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcryptprimitives.dll
c:\users\admin\appdata\local\temp\is-1gs7r.tmp\idp.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\is-1gs7r.tmp\innocallback.dll
c:\users\admin\appdata\local\temp\is-1gs7r.tmp\isdone.dll
c:\windows\system32\imageres.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\msftedit.dll
c:\users\admin\appdata\local\temp\is-1gs7r.tmp\wintb.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\users\admin\appdata\local\temp\is-1gs7r.tmp\bass.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\windows\system32\audioses.dll
c:\windows\system32\avrt.dll
c:\users\admin\appdata\local\temp\is-1gs7r.tmp\callbackctrl.dll
c:\users\admin\appdata\local\temp\is-1gs7r.tmp\botva2.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\is-1gs7r.tmp\flushfilecache.exe
c:\games\divinity - original sin 2\unins000.exe

PID
3816
CMD
"C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\FlushFileCache.exe"
Path
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\FlushFileCache.exe
Indicators
No indicators
Parent process
setup.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\is-1gs7r.tmp\flushfilecache.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3360
CMD
"C:\Games\Divinity - Original Sin 2\unins000.exe" /VERYSILENT
Path
C:\Games\Divinity - Original Sin 2\unins000.exe
Indicators
Parent process
setup.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Setup/Uninstall
Version
51.1052.0.0
Modules
Image
c:\games\divinity - original sin 2\unins000.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\temp\_iu14d2n.tmp

PID
2108
CMD
"C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Games\Divinity - Original Sin 2\unins000.exe" /FIRSTPHASEWND=$30206 /VERYSILENT
Path
C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp
Indicators
Parent process
unins000.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Setup/Uninstall
Version
51.1052.0.0
Modules
Image
c:\users\admin\appdata\local\temp\_iu14d2n.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\users\admin\appdata\local\temp\is-bb1h6.tmp\_isetup\_shfoldr.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

Registry activity

Total events
677
Read events
307
Write events
367
Delete events
3

Modification events

PID
Process
Operation
Key
Name
Value
2636
setup.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Owner
4C0A00000A662D9E568DD401
2636
setup.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
SessionHash
A6D3430B74403848407E2D043D7DA509738BF0181439511ED17CE92AE64757E9
2636
setup.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Sequence
1
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Speaker Configuration
4
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32
EnableFileTracing
0
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32
EnableConsoleTracing
0
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32
FileTracingMask
4294901760
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32
ConsoleTracingMask
4294901760
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32
MaxFileSize
1048576
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32
FileDirectory
%windir%\tracing
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS
EnableFileTracing
0
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS
EnableConsoleTracing
0
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS
FileTracingMask
4294901760
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS
ConsoleTracingMask
4294901760
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS
MaxFileSize
1048576
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS
FileDirectory
%windir%\tracing
2636
setup.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2636
setup.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2636
setup.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2636
setup.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2636
setup.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFiles0000
C:\Games\Divinity - Original Sin 2\_Redist\vcredist_x86_2015_x86.exe
2636
setup.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFilesHash
9ABA3093E49D58A82A5B8E447AF89304C87E97E611D1F767FC337E626F2A36F7
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
C:\Games\Divinity - Original Sin 2\bin\EoCApp.exe
RUNASADMIN
2636
setup.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
C:\Games\Divinity - Original Sin 2\bin\EoCApp.exe
RUNASADMIN
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
Inno Setup: Setup Version
5.5.1.ee2 (u)
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
Inno Setup: App Path
C:\Games\Divinity - Original Sin 2
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
InstallLocation
C:\Games\Divinity - Original Sin 2\
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
Inno Setup: Icon Group
Games\Divinity - Original Sin 2
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
Inno Setup: No Icons
1
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
Inno Setup: User
admin
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
Inno Setup: Setup Type
custom
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
Inno Setup: Selected Components
text,directx,vc_2015_x86,vc_2015_x64,dotnet35,dotnet35cp,dotnet4full
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
Inno Setup: Deselected Components
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
Inno Setup: Language
en
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
DisplayName
Divinity: Original Sin 2
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
UninstallString
"C:\Games\Divinity - Original Sin 2\unins000.exe"
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
UninstallDataFile
C:\Games\Divinity - Original Sin 2\unins000.dat
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
QuietUninstallString
"C:\Games\Divinity - Original Sin 2\unins000.exe" /SILENT
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
NoModify
1
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
NoRepair
1
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
InstallDate
20181206
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
EstimatedSize
62979904
2636
setup.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
GlobalAssocChangedCounter
52
3360
unins000.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
PendingFileRenameOperations
\??\C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp
2108
_iu14D2N.tmp
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Divinity: Original Sin 2_is1
2108
_iu14D2N.tmp
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
2108
_iu14D2N.tmp
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
2108
_iu14D2N.tmp
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2108
_iu14D2N.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
FavoritesRemovedChanges
5
2108
_iu14D2N.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
FavoritesRemovedChanges
6

Files activity

Executable files
54
Suspicious files
0
Text files
31
Unknown types
4

Dropped files

PID
Process
Filename
Type
1704
setup.exe
C:\Users\admin\AppData\Local\Temp\is-AD0BJ.tmp\setup.tmp
executable
MD5: ae9890548f2fcab56a4e9ae446f55b3f
SHA256: 09af8004b85478e1eca09fa4cb5e3081dddcb2f68a353f3ef6849d92be47b449
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lolly_x86.exe
executable
MD5: 9a993745face8b99d0c3b873a0b7627a
SHA256: 97359790449fc59577d9d5d0ebcefd289d1cf95bb632ef58286f39b744c5313e
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\vcredist_x64_2015_x64.exe
executable
MD5: 27b141aacc2777a82bb3fa9f6e5e5c1c
SHA256: 5eea714e1f22f1875c1cb7b1738b0c0b1f02aec5ecb95f0fdb1c5171c6cd93a3
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lolly.dll
executable
MD5: 0ef04bc15fd1b28975aff2951b857f03
SHA256: f84677643d9977aa1e8a4aa8c85a12665d29a4e8292485a0b4df846dd161f824
2108
_iu14D2N.tmp
C:\Users\admin\AppData\Local\Temp\is-BB1H6.tmp\_isetup\_shfoldr.dll
executable
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\vcredist_x86_2015_x86.exe
executable
MD5: 1a15e6606bac9647e7ad3caa543377cf
SHA256: fdd1e1f0dcae2d0aa0720895eff33b927d13076e64464bb7c7e5843b7667cd14
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\dxwebsetup.exe
executable
MD5: 56d52c503adf02184f19eee4767ef60a
SHA256: ed79c8f65b02ed83d5db8c355328294a73dc447f08f657312bf8f3a5b40c7494
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lolzx_x86.exe
executable
MD5: f3007c549b5c2c405dade6af8d752b85
SHA256: 77b920a22f93f87d2624b58f729712ebacaf8b605437c2678ca4216a28f3b8b2
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\QuickSFV.EXE
executable
MD5: 4b1d5ec11b2b5db046233a28dba73b83
SHA256: a6371461da7439f4ef7008ed53331209747cba960b85c70a902d46451247a29c
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lolzi_x64.exe
executable
MD5: 1cdf04881eb33f5d2cdde21f4d1934e7
SHA256: 8ce66660890d99e78a86ef24f185d189eb01dfe3e7028c360958016281d10c89
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\unarc.dll
executable
MD5: da1fe7b7699ee3d96c2056b09e580129
SHA256: 7ded3fb8947e3b42c157de34ac8a6340c75cbea54bc44a949c4e5124c72f14bc
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lollypop.dll
executable
MD5: 0ef04bc15fd1b28975aff2951b857f03
SHA256: f84677643d9977aa1e8a4aa8c85a12665d29a4e8292485a0b4df846dd161f824
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lolzx.dll
executable
MD5: a67af01bf2fe22da108a7714b369d33f
SHA256: 7429467f7a2b73f0aaf609f34f4e3385edadc7f7014d97986acc31f5293d171c
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\unins000.exe
executable
MD5: 72729d5cf139ba0b9b2923e97807e402
SHA256: 42e5abe8ae6533a03cbcb7541461759f23633ea3203cb83c5635cd5af976ae55
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\CLS-precomp.dll
executable
MD5: bd37d733c382b865eab060cd74dcc605
SHA256: 55b217742bd9b6e9586b7968cf66e1f97c1af5245a3034ce35c9872c7ee9671e
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lollypop_x86.exe
executable
MD5: 3527c6739c46f4ee1cfb6b48e1407883
SHA256: 724c6e07180e321298b4ea4405c3f7536c524d9826d24f5d6fc50bcb0ef8f723
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lolzx_x64.exe
executable
MD5: 1aa4f56cfd9d0685b03807626e12df9a
SHA256: 4cb2243d60b3c84683f88f97394dd020be455196aa61a414a358a77d67bf902e
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\vcredist_x86_2015_x86.exe
executable
MD5: 1a15e6606bac9647e7ad3caa543377cf
SHA256: fdd1e1f0dcae2d0aa0720895eff33b927d13076e64464bb7c7e5843b7667cd14
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\packjpg_dll.dll
executable
MD5: 44f8a8931122759cc34fa8911a3bfe1e
SHA256: 06c9508f8368964338e5c1481457640d0776fe6d721bc0b8eaf7a495ee66d8b8
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lollypop_x64.exe
executable
MD5: 5b848a24126f54a2c3c7b7393b536d33
SHA256: 2d32c4f4522bc62f63c7949313434f6ca0eaa6b65b44ee5aa8b6b877988b1aa8
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lolzi_x86.exe
executable
MD5: 2a108c93dfcf6b488880d0423d1f0ec7
SHA256: cbc1d8a42ac2ff81c1f0d817312867d86a4ec2a7058d56e56c282f062113b9e0
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\vcredist_x64_2015_x64.exe
executable
MD5: 27b141aacc2777a82bb3fa9f6e5e5c1c
SHA256: 5eea714e1f22f1875c1cb7b1738b0c0b1f02aec5ecb95f0fdb1c5171c6cd93a3
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\packjpg_dll1.dll
executable
MD5: ae65946e7d9c104afaaf3998e92e655b
SHA256: 8a9e1e4868ddcd1ab0ff78b6fce41a67860a786d14d77e2730512269754d6fd0
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lollypop2_x64.exe
executable
MD5: 972b6b6c4d62dad741d0f475c1a7d9d8
SHA256: 10cf4fa3d991066c03725d143837c0b5bb2513f526bf182bec9da1ca06110a0b
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lolzi.dll
executable
MD5: cee3ab80e46ce04db82677285f268c62
SHA256: 19b0633a0e37993f25eb9ec986be3916c4cdc9fd0b1ceeb85d6256b68ef00e6e
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\zlibwapi.dll
executable
MD5: dd91e4c7d445c31682ebdd22e732d93d
SHA256: 1f047faec08d9a35c304fb4a7cf13853589359a8f7cbfdd48c5d5807712dcf05
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\precomp.exe
executable
MD5: ac33b250d1bb0156bb02aef96ae22733
SHA256: a5f0564caadc1b936e5c30c390fbd32b63665bbdc5e272f24f2995dabd9ff245
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lollypop2.dll
executable
MD5: 9e1e200472d66356a4ae5d597b01dabc
SHA256: 87df573ac240e09ea4941e169fb2d15d5316a1b0e053446b8144e04b1154f061
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\BASS.dll
executable
MD5: 8005750ec63eb5292884ad6183ae2e77
SHA256: df9f56c4da160101567b0526845228ee481ee7d2f98391696fa27fe41f8acf15
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\xtool.exe
executable
MD5: 6fd6e61f1e386b5ed76ee294a1ea806e
SHA256: 0bb81d315a5c73509ea33aded9ce932457a68c7a694c697ae5da1796c80b7a14
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\zlib1.dll
executable
MD5: 86286252abcf1550850a0822a21f14d1
SHA256: 4ad2098b625b99c00aa8b44f27829649634c08299a48f1cea2124a0a91c1d12d
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-srep_x86.exe
executable
MD5: fc7dd2ca9f47d64edd3b2061cd8db1b3
SHA256: 4004ba624f8ce381c61c82aba26e246d93e833357930c17cd4b02058ea31fad4
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\wintb.dll
executable
MD5: 9436df49e08c83bad8ddc906478c2041
SHA256: 1910537aa95684142250ca0c7426a0b5f082e39f6fbdbdba649aecb179541435
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\hif2raw_dll.dll
executable
MD5: 279bb94cb9db6603761e393c201e7e20
SHA256: 949db25933d9ced53e21082cd016d623b8325bd5e614371238c26f6c36f26458
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\CLS-srep.dll
executable
MD5: bcd4ebd26140038f1e45ba5c639d9ad4
SHA256: 39c965edc8f577695dadd68d6d40ace4e1e17625ca4669e3f1321b6b26e470c7
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-srep_x64.exe
executable
MD5: 6ae2add85ec2b642d865ffaaa391d5bb
SHA256: ed8a485b9984997306ea6b5c6d98b5026a5b7903c1df4c229bf93bf113c78ee9
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\ISDone.dll
executable
MD5: 4feafa8b5e8cdb349125c8af0ac43974
SHA256: bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lollypop2_x86.exe
executable
MD5: 5d516c2c8ac8da1d96dd896d626e573a
SHA256: 9d3abe04eb6a923769a9583d940d5b33258950d69c71528d66b2653f1f37462e
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\facompress.dll
executable
MD5: fb5ecb3f135465ac61a78ca3c177485c
SHA256: 148fa9a255bfff3f7d8a74f25394944f20611af31f26ef9700cbc0edc19a3483
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\FlushFileCache.exe
executable
MD5: df77f2b6126f4f258f2e952b53b22879
SHA256: a4cc6683393795f7b84d0b49eea2d7d7fbe1392bb7612cf39896af6832ffe0b8
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\innocallback.dll
executable
MD5: 1c55ae5ef9980e3b1028447da6105c75
SHA256: 6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\CallbackCtrl.dll
executable
MD5: f07e819ba2e46a897cfabf816d7557b2
SHA256: 68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\precomp043.exe
executable
MD5: ac33b250d1bb0156bb02aef96ae22733
SHA256: a5f0564caadc1b936e5c30c390fbd32b63665bbdc5e272f24f2995dabd9ff245
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\botva2.dll
executable
MD5: 67965a5957a61867d661f05ae1f4773e
SHA256: 450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\idp.dll
executable
MD5: af555ac9c073f88fe5bf0d677f085025
SHA256: f4fc0187491a9cb89e233197ff72c2405b5ec02e8b8ea640ee68d034ddbc44bb
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\raw2hif_dll.dll
executable
MD5: 5670e72c9e7d5611d1051d44c000b4e9
SHA256: 269513987303f63551f43d63d2b0972e297c41aa1db63bdef4fe2502e7fc095e
3360
unins000.exe
C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp
executable
MD5: 72729d5cf139ba0b9b2923e97807e402
SHA256: 42e5abe8ae6533a03cbcb7541461759f23633ea3203cb83c5635cd5af976ae55
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\rzw.exe
executable
MD5: 7ad88e752ab85ccfac386ad7a25feea9
SHA256: 52c28d2f80b18bd237de3243fdbe326ab1bd278ba52026ee524431f16aa52905
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\_isetup\_shfoldr.dll
executable
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\x.exe
executable
MD5: 5e26d095f0d3e5b5f5a3fb77ac441573
SHA256: 9bf8d067de9448e521afe1f8108caa0f85b4b7c7933641efd44bc43533920565
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\rz.exe
executable
MD5: f9a4232ab15d62ccebe80546b0dad97b
SHA256: 4a4c7c3705b493944367d390a2256ba1f65a358a2411580fac28075caf934a0d
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\fit.exe
executable
MD5: ab0a3a6bc7ddbd8cc88cf2ce595a14d8
SHA256: cfe728da71051b559ef708dd57dc10b08cadf2d6a636739b6a156ea94a75eaff
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\sfk.exe
executable
MD5: 4e461add08b9a97def0a9966ad91aae6
SHA256: 6be49696d5700a5f68feb8090c41dc1d1497df5e7f7110290b315b8aee6d87b7
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\cls-lolly_x64.exe
executable
MD5: 816e95c6bfe26a139b0e628954d191da
SHA256: a6c62fc3c84d2701bc21bc916dab3b0b079e7e56890a075d66cb0f20459cbcd3
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Spanish.bat
text
MD5: 04692c4c8891474264963e9a5f73eaef
SHA256: 443c9f56b7a18666bf99e67d9e7aec9b6a22b5ae0036d1ec748b781569a1a7e7
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\is-FHKOI.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Russian.bat
text
MD5: 31ad7092c1260a8ff9e821072dc33deb
SHA256: 0682c1f53696035cfd55aebbc44afe6e87459b3fd64556303c439d07c3f85823
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\is-SRAF4.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Polish.bat
text
MD5: 74a33c299ab19116c76b8d87ee19fd9a
SHA256: 3b1154620278adf3d14c528479e04926b0bfd7a96c63cae7aaa6522b548befb4
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\is-T1G09.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\German.bat
text
MD5: 1cdf4ef9219d29f51b6ec14b64fa5539
SHA256: e878f6f0b06e60b3d91cef37c69cb49dedac8827b5cd5e5f5af12472efd8dffb
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\is-AH2UI.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\French.bat
text
MD5: 6b1991746c422b0faab79a2c4cfeee50
SHA256: 08def7905251a4b02b63e36687fcd6e41d0ffc2661570a02fbc208c6e6830450
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\is-HNVO2.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\English.bat
text
MD5: c7207a6ae46970e876b2b678f19b9c36
SHA256: 373ccc406364d18998c02094651ba9ea6bbc7366c2497fef9ddc216e62f551aa
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\is-CR2GE.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Chinese.bat
text
MD5: d57add361e418973dac5985cfd775e22
SHA256: 19e4e90e10189f00146957105333a837abfed30202b7ae01f2b177ce7580893b
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\is-JUP5U.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\dotNetFx40_Full_x86_x64.exe
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\is-IHAP3.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\DotNetFx35Client.exe
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\is-0NE16.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\dotnetfx35.exe
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\is-LI7T8.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\records.inf
text
MD5: 4c9c3168925b1c653be22f18d4e480ac
SHA256: 14cb12a625c958002fc99bf7f97cefece5d1bdd056e5a63b55466db53659aa5d
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\is-DFA4A.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\unins000.dat
dat
MD5: 468928c1cc0d1fa26a858f9ce9538dfd
SHA256: 3b0b06b0fa3daa4715fcd2e218a2ae923e832a50c26cc34cc1fb5060e23fa5de
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\is-TASRP.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Users\Public\Desktop\Divinity - Original Sin 2 - Definitive Edition.lnk
lnk
MD5: bd73184c947a4c6858847f7855bf3618
SHA256: edbb4fbcdaa17e668753834f5d9fdf733a45e6e9c9a92878628464c4b0807b5f
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\is-8QFF4.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\DotNetFx35Client.exe
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\dotNetFx40_Full_x86_x64.exe
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Users\Public\Desktop\Divinity - Original Sin 2.lnk
lnk
MD5: 81911436b534a3bc92ecc13751a2aaeb
SHA256: f4a041ef87af9bc2065197442525263454d9cf7c7d03afe817db4340865e0af3
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\fitgirl.md5
text
MD5: f09422b3eb79d2e78b95fba32967cc67
SHA256: 01e34ed80fa2028a6cf15b29e27b32aff7b1ccd2e20e7182abd19445b9193149
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\dotnetfx35.exe
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\is-R3TEP.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\language_ru.lsx
xml
MD5: d81cf0ec828e19a068678ea41559adfd
SHA256: c25e24b3f4ee8f61b0c359a79c1642320e6a8dd0af5ccac34be1ae8fef7eedec
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\is-M5EV9.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\language_pl.lsx
xml
MD5: 20689c558a71404ff12d566bf4296602
SHA256: 67e2e9b7e77fd64374acca60538126175140d5a062865f9472a0dedbc254a3ca
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\is-K0KL7.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\language_fr.lsx
xml
MD5: 3a92574d6907688dcc92363180d198b8
SHA256: 78e384f9ac28a9c7101e7aa794fe0ca6e67f4088b7b9f928996034b372706740
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\is-42US2.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\language_es.lsx
xml
MD5: abb7d9c3b54d72c3b7e14fd4c5947fb7
SHA256: 999d2f3320f1b9e3e99203d681f71a0f356343abffb5c141ff71f7fcacd1e9cd
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\is-BELJM.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\music.mp3
mp3
MD5: 5c3b4b188bc04fa1aa0f83c9706db8ae
SHA256: 19a5466ab1834f9536622d9c540206a0766a7cd6d325d006c9242ed8ac6072f5
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\MusicButton.png
image
MD5: 473a683962d3375a00f93dd8ce302158
SHA256: 7f4ad4d912cdabdfbb227387759db81434e20583687737f263d4f247326f0c1a
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\language_en.lsx
xml
MD5: a8d8ec038605f247372875b4ccba4b58
SHA256: 32be8a4209d66de5cea7a19bcfc3f7eb37b463e98b5a1b285431aec3645c97fb
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\is-DFFSR.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\arc.ini
text
MD5: 7185f865e49453388132a6b1c63242db
SHA256: f3559c6f43743c42cf02e8859e8d8d10e88d7d0152a6f4f32875578090dd20b9
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\CLS.ini
text
MD5: 58a9e70048a786dd0ceb79a9cb4b85a4
SHA256: dcdf3a0a267d29f196b8fc0a811686aabe047b7e49ca10e162aa7e0f9597d4e5
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\language_de.lsx
xml
MD5: fbd838bfde6e055ba53a1e3b555485ac
SHA256: bd6db5fd7ffafa566e6f7da21355f5c75daea84a7a1d247f8bc239112ead8cd1
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\is-S2QEU.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\language_cn.lsx
xml
MD5: 634a6c26c0c333e6c1f6e03fe4755de1
SHA256: 398d1415b218d36e3114ce53c90ac9a0cdde0749fdce210d662e5514c04054a5
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\DefEd\Data\Localization\is-NDCLQ.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\language_ru.lsx
xml
MD5: d81cf0ec828e19a068678ea41559adfd
SHA256: c25e24b3f4ee8f61b0c359a79c1642320e6a8dd0af5ccac34be1ae8fef7eedec
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\is-KVOB1.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\language_pl.lsx
xml
MD5: 20689c558a71404ff12d566bf4296602
SHA256: 67e2e9b7e77fd64374acca60538126175140d5a062865f9472a0dedbc254a3ca
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\is-Q5A1A.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\language_fr.lsx
xml
MD5: 3a92574d6907688dcc92363180d198b8
SHA256: 78e384f9ac28a9c7101e7aa794fe0ca6e67f4088b7b9f928996034b372706740
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\is-CDUD7.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\language_es.lsx
xml
MD5: abb7d9c3b54d72c3b7e14fd4c5947fb7
SHA256: 999d2f3320f1b9e3e99203d681f71a0f356343abffb5c141ff71f7fcacd1e9cd
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\is-PC6Q2.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\language_en.lsx
xml
MD5: a8d8ec038605f247372875b4ccba4b58
SHA256: 32be8a4209d66de5cea7a19bcfc3f7eb37b463e98b5a1b285431aec3645c97fb
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\is-2CFE2.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\language_de.lsx
xml
MD5: fbd838bfde6e055ba53a1e3b555485ac
SHA256: bd6db5fd7ffafa566e6f7da21355f5c75daea84a7a1d247f8bc239112ead8cd1
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\is-NB44U.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\language_cn.lsx
xml
MD5: 634a6c26c0c333e6c1f6e03fe4755de1
SHA256: 398d1415b218d36e3114ce53c90ac9a0cdde0749fdce210d662e5514c04054a5
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\Data\Localization\is-IBPRB.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\QuickSFV.ini
text
MD5: c5c28798bca6e9ed5d84fa67b656065a
SHA256: 74ca5a42469197eded04f5a0bf34ca251c72f7cc06a3416ac035230cb8e81629
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\is-BVAB3.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\CLS.ini
text
MD5: 2290be98e5ba8401ace0831f94558076
SHA256: 80d8adbe38b3f2bb8c42d273e403dcea568294d5fc2d4361fa9bd8c922837942
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\is-LGIA3.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\English.ini
text
MD5: b031bee9106d82782b43bdf5d4ad79b0
SHA256: e1b6f4dc9ba12e110b33d370e8f06f176228059c42754be5da7b92ab939ff38e
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\is-8IE3U.tmp
––
MD5:  ––
SHA256:  ––
2108
_iu14D2N.tmp
C:\Games\Divinity - Original Sin 2\unins000.dat
––
MD5:  ––
SHA256:  ––
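
The dropped-files table above is exported as six lines per file (PID, process, path, type, MD5, SHA256), which is awkward to pivot on. The Python below is an added example, not part of the ANY.RUN report or of the installer: it parses that layout, flags files that share one SHA256 under different names (precomp.exe and precomp043.exe above; likewise each language_*.lsx is written to both Data\Localization and DefEd\Data\Localization), lists files the sandbox recorded but could not hash (the is-XXXXX.tmp staging files and the dotnetfx/vcredist copies with no hash), and produces a de-duplicated hash set for reputation lookups. The sample records are constructed by copying five rows of the table; the is-XXXXX.tmp pattern is Inno Setup's naming for staged files, and the "––" placeholder handling mirrors the export.

```python
import re
from collections import defaultdict

HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{64}")
# Inno Setup names staged directories and files is-XXXXX.tmp (5 alphanumerics).
INNO_TMP_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp(?:\\|$)", re.IGNORECASE)

# Constructed sample: five rows copied from the dropped-files table, in the
# export's six-line layout. "––" is what the export prints when no hash was
# captured for the file.
SAMPLE = r"""
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\precomp.exe
executable
MD5: ac33b250d1bb0156bb02aef96ae22733
SHA256: a5f0564caadc1b936e5c30c390fbd32b63665bbdc5e272f24f2995dabd9ff245
2636
setup.tmp
C:\Users\admin\AppData\Local\Temp\is-1GS7R.tmp\precomp043.exe
executable
MD5: ac33b250d1bb0156bb02aef96ae22733
SHA256: a5f0564caadc1b936e5c30c390fbd32b63665bbdc5e272f24f2995dabd9ff245
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\is-FHKOI.tmp
––
MD5:  ––
SHA256:  ––
2636
setup.tmp
C:\Games\Divinity - Original Sin 2\_Redist\dotnetfx35.exe
––
MD5:  ––
SHA256:  ––
3360
unins000.exe
C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp
executable
MD5: 72729d5cf139ba0b9b2923e97807e402
SHA256: 42e5abe8ae6533a03cbcb7541461759f23633ea3203cb83c5635cd5af976ae55
""".strip("\n")


def _hash_or_none(field):
    # "MD5: <hex>" / "SHA256: <hex>"; anything that is not hex counts as absent.
    value = field.split(":", 1)[1].strip().lower()
    return value if HASH_RE.fullmatch(value) else None


def parse_records(text):
    """Turn the six-line-per-file export into a list of dicts."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 6:
        raise ValueError("export is not a whole number of 6-line records")
    records = []
    for i in range(0, len(lines), 6):
        pid, proc, path, ftype, md5_line, sha_line = lines[i:i + 6]
        records.append({
            "pid": int(pid),
            "process": proc,
            "path": path,
            "type": ftype,
            "md5": _hash_or_none(md5_line),
            "sha256": _hash_or_none(sha_line),
        })
    return records


def duplicate_hashes(records):
    """Same SHA256 written under different paths: hash once, look up once."""
    by_hash = defaultdict(list)
    for r in records:
        if r["sha256"]:
            by_hash[r["sha256"]].append(r["path"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def unhashed(records):
    """Files the sandbox saw created but has no SHA256 for."""
    return [r["path"] for r in records if r["sha256"] is None]


def inno_staging(records):
    """Paths that use Inno Setup's is-XXXXX.tmp staging names."""
    return [r["path"] for r in records if INNO_TMP_RE.search(r["path"])]


def lookup_set(records):
    """Unique SHA256 values worth submitting to a hash-reputation service."""
    return sorted({r["sha256"] for r in records if r["sha256"]})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records;", len(lookup_set(recs)), "unique SHA256")
    for h, paths in duplicate_hashes(recs).items():
        print("duplicate", h[:12], paths)
    print("unhashed:", unhashed(recs))
```

Running it over the full table instead of the sample is a matter of pasting the rows into SAMPLE; the record count must remain a multiple of six, which is also a cheap check that nothing was lost when the table was copied.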

Network activity

HTTP(S) requests
6
TCP/UDP connections
6
DNS requests
1
Threats
22

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2636 setup.tmp HEAD 200 2.18.233.19:80 http://download.microsoft.com/download/2/0/E/20E90413-712F-438C-988E-FDAA79A8AC3D/dotnetfx35.exe unknown –– –– whitelisted
2636 setup.tmp HEAD 200 2.18.233.19:80 http://download.microsoft.com/download/9/3/F/93FCF1E7-E6A4-478B-96E7-D4B285925B00/vc_redist.x64.exe unknown –– –– whitelisted
2636 setup.tmp HEAD 200 2.18.233.19:80 http://download.microsoft.com/download/9/3/F/93FCF1E7-E6A4-478B-96E7-D4B285925B00/vc_redist.x86.exe unknown –– –– whitelisted
2636 setup.tmp HEAD 200 2.18.233.19:80 http://download.microsoft.com/download/9/5/A/95A9616B-7A37-4AF6-BC36-D6EA96C8DAAE/dotNetFx40_Full_x86_x64.exe unknown –– –– whitelisted
2636 setup.tmp HEAD 200 2.18.233.19:80 http://download.microsoft.com/download/c/d/c/cdc0f321-4f72-4a08-9bac-082f3692ecd9/DotNetFx35Client.exe unknown –– –– whitelisted
2636 setup.tmp GET –– 2.18.233.19:80 http://download.microsoft.com/download/2/0/E/20E90413-712F-438C-988E-FDAA79A8AC3D/dotnetfx35.exe unknown –– –– whitelisted

Connections

PID Process IP ASN CN Reputation
2636 setup.tmp 2.18.233.19:80 Akamai International B.V. –– whitelisted

DNS requests

Domain IP Reputation
download.microsoft.com 2.18.233.19 whitelisted

Threats

PID Process Class Message
2636 setup.tmp A Network Trojan was detected SC TROJAN_DOWNLOADER Possible threat - .exe downloading with HEAD option
2636 setup.tmp A Network Trojan was detected SC TROJAN_DOWNLOADER Possible threat - .exe downloading with HEAD option
2636 setup.tmp A Network Trojan was detected SC TROJAN_DOWNLOADER Possible threat - .exe downloading with HEAD option
2636 setup.tmp A Network Trojan was detected SC TROJAN_DOWNLOADER Possible threat - .exe downloading with HEAD option
2636 setup.tmp A Network Trojan was detected SC TROJAN_DOWNLOADER Possible threat - .exe downloading with HEAD option
2636 setup.tmp Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
2636 setup.tmp Misc activity ET INFO EXE - Served Attached HTTP
2636 setup.tmp Web Application Attack SC WEB_APPLICATION_ATTACK Suspicious Generic - Path Traversal for Unix in Zip archive
2636 setup.tmp unknown SURICATA TCPv4 invalid checksum
2636 setup.tmp unknown SURICATA TCPv4 invalid checksum
2636 setup.tmp unknown SURICATA TCPv4 invalid checksum
2636 setup.tmp unknown SURICATA TCPv4 invalid checksum
2636 setup.tmp unknown SURICATA TCPv4 invalid checksum
2636 setup.tmp unknown SURICATA TCPv4 invalid checksum
2636 setup.tmp unknown SURICATA TCPv4 invalid checksum
2636 setup.tmp unknown SURICATA TCPv4 invalid checksum
2636 setup.tmp unknown SURICATA TCPv4 invalid checksum
2636 setup.tmp Web Application Attack SC WEB_APPLICATION_ATTACK Suspicious Generic - Path Traversal for Unix in Zip archive
2636 setup.tmp unknown SURICATA TCPv4 invalid checksum
2636 setup.tmp unknown SURICATA TCPv4 invalid checksum
2636 setup.tmp unknown SURICATA TCPv4 invalid checksum
2636 setup.tmp unknown SURICATA TCPv4 invalid checksum
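
The five SC TROJAN_DOWNLOADER alerts above correspond one-to-one to the five HEAD requests for .exe URLs in the HTTP requests table; the rule keys on the method and the file extension, not on the host, and every request here went to download.microsoft.com, which the same report marks whitelisted. A HEAD before a GET is how a downloader learns a file's size before fetching it, and benign installers do it too (the dropped files include idp.dll, the file name used by the Inno Download Plugin). The Python below is an added example, not part of the report or of the installer: it parses the request rows, reproduces the alert count, isolates the HEAD-then-GET pairs, checks every contacted host against an allowlist, and lists GETs with no recorded status (the dotnetfx35.exe GET, which is consistent with the two dotnetfx35.exe entries in the dropped-files table having no hash). The rows are constructed by copying the six rows of the table; the EXPECTED_HOSTS allowlist is an assumption of the example, not something the report states. The two "Path Traversal for Unix in Zip archive" alerts are left out because the rows do not carry the payload they fired on.

```python
from urllib.parse import urlsplit

# Constructed sample: the six rows of the HTTP requests table, one per line,
# in column order PID Process Method HTTP-Code IP URL CN Type Size Reputation.
# "––" marks an empty cell, as in the ANY.RUN export.
SAMPLE_HTTP = """\
2636 setup.tmp HEAD 200 2.18.233.19:80 http://download.microsoft.com/download/2/0/E/20E90413-712F-438C-988E-FDAA79A8AC3D/dotnetfx35.exe unknown –– –– whitelisted
2636 setup.tmp HEAD 200 2.18.233.19:80 http://download.microsoft.com/download/9/3/F/93FCF1E7-E6A4-478B-96E7-D4B285925B00/vc_redist.x64.exe unknown –– –– whitelisted
2636 setup.tmp HEAD 200 2.18.233.19:80 http://download.microsoft.com/download/9/3/F/93FCF1E7-E6A4-478B-96E7-D4B285925B00/vc_redist.x86.exe unknown –– –– whitelisted
2636 setup.tmp HEAD 200 2.18.233.19:80 http://download.microsoft.com/download/9/5/A/95A9616B-7A37-4AF6-BC36-D6EA96C8DAAE/dotNetFx40_Full_x86_x64.exe unknown –– –– whitelisted
2636 setup.tmp HEAD 200 2.18.233.19:80 http://download.microsoft.com/download/c/d/c/cdc0f321-4f72-4a08-9bac-082f3692ecd9/DotNetFx35Client.exe unknown –– –– whitelisted
2636 setup.tmp GET –– 2.18.233.19:80 http://download.microsoft.com/download/2/0/E/20E90413-712F-438C-988E-FDAA79A8AC3D/dotnetfx35.exe unknown –– –– whitelisted
"""

# Hosts a vendor redistributable is expected to be fetched from. This allowlist
# is an assumption made for the example; the report itself states no such list.
EXPECTED_HOSTS = {"download.microsoft.com"}

COLUMNS = ("pid", "process", "method", "status", "ip", "url",
           "cn", "type", "size", "reputation")


def parse_http_rows(text):
    """One dict per request row; status becomes an int or None for '––'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns: {line!r}")
        row = dict(zip(COLUMNS, fields))
        row["host"] = urlsplit(row["url"]).hostname
        row["status"] = int(row["status"]) if row["status"].isdigit() else None
        rows.append(row)
    return rows


def exe_head_requests(rows):
    """HEAD requests for .exe URLs: what the SC TROJAN_DOWNLOADER rule keys on."""
    return [r for r in rows
            if r["method"] == "HEAD" and r["url"].lower().endswith(".exe")]


def head_then_get(rows):
    """URLs first sized with HEAD and then fetched with GET, in first-seen order."""
    sized, result = set(), []
    for r in rows:
        if r["method"] == "HEAD":
            sized.add(r["url"])
        elif r["method"] == "GET" and r["url"] in sized and r["url"] not in result:
            result.append(r["url"])
    return result


def unexpected_hosts(rows, allowlist=EXPECTED_HOSTS):
    """Contacted hosts outside the allowlist; empty means every fetch went to a known origin."""
    return sorted({r["host"] for r in rows if r["host"] not in allowlist})


def unfinished_gets(rows):
    """GETs with no recorded status: the response had not completed when the capture ended."""
    return [r["url"] for r in rows if r["method"] == "GET" and r["status"] is None]


def triage(text):
    rows = parse_http_rows(text)
    return {
        "exe_head_count": len(exe_head_requests(rows)),
        "head_then_get": head_then_get(rows),
        "unexpected_hosts": unexpected_hosts(rows),
        "unfinished_gets": unfinished_gets(rows),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HTTP).items():
        print(f"{key}: {value}")
```

The point of the allowlist check is that the alert count alone does not separate a staged-downloader trojan from an installer fetching Microsoft redistributables; the host, the on-disk artefacts, and whether the fetched binary matches a known-good hash decide that, and those are checks the IDS rule cannot perform.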

Debug output strings

No debug info.